Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Bug in Top AI Coding Agents Reveals Enduring Security Headaches



A recent discovery by Google-owned security biz Wiz reveals a bug in top AI coding agents that can be exploited to trick developers into accessing files outside their workspace sandbox, leading to remote code execution. The issue affects six widely used AI coding assistants, including Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. While some companies have patched the vulnerability, others have not, highlighting the need for better security practices and shared responsibility between developers and agentic AI providers.

  • The six widely used AI coding assistants - Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf - are vulnerable to a "GhostApproval" attack that can trick agents into accessing files outside the workspace sandbox.
  • The vulnerability allows attackers to execute remote code on the developer's machine due to the lack of clear confirmation prompts in the affected coding assistants.
  • The security gap stems from the use of symbolic links, which are files that serve as a shortcut to another file or directory, and can be used to bypass security boundaries and access unauthorized files.
  • Many of these coding tools use sandboxes or confirmation dialogs, but the affected assistants did not display critical information clearly in the prompts, rendering human-in-the-loop safety nets ineffective.
  • The vulnerability highlights the need for better security principles and practices when it comes to new AI architectures, as well as regular security testing and patching.



  • Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf, six of the most widely used AI coding assistants, have been found to be vulnerable to a "GhostApproval" attack that can trick agents into accessing files outside the workspace sandbox, leading to remote code execution on the developer's machine.

    The security gap, named "GhostApproval," was discovered by Google-owned security biz Wiz and reported to all six affected companies. Amazon, Cursor, and Google deemed the flaw critical or high-severity, fixed it, and either already issued a CVE tracker or are in the process of getting that done. REG AD

    Anthropic acknowledged the vulnerability report but did not patch the issue or warn users. Augment and Windsurf also acknowledged the vulnerability report but have not patched the issue or warned users.

    Wiz pointed out that the coding assistants recognized that the symlink pointed to a dangerous target, but the confirmation prompt shown to the users hid this target, rendering the human-in-the-loop safety net useless. "The user approves what they believe is a harmless local edit; the agent writes to a sensitive file outside of the project workspace," Wiz threat researcher Maor Dokhanian said.

    The problem stems from a long-standing security headache called symbolic links, or symlinks, which are files that serve as a shortcut to another file or directory. They do not actually contain data, but rather the path to the target file. This functionality has led to a long history of attackers using symlinks to bypass security boundaries and access unauthorized files.

    GhostApproval takes this ancient security bypass trick and applies it to AI coding agents. The attack itself is simple: an attacker creates a malicious repository by creating a symlink disguised as a config file, then clones the repository and asks their AI agent to set up the workspace or follow the README. The agent reads the instructions and writes the attacker's SSH public key to the victim’s “~/.ssh/authorized_keys” file.

    Many of these coding tools use sandboxes or confirmation dialogs, which are pop-up dialog boxes in which the agent essentially asks the users to confirm they want to take this action. However, Wiz found that these coding assistants recognized that the symlink pointed to a dangerous target but did not display it clearly in the confirmation prompt, rendering the human-in-the-loop safety net useless.

    Anthropic called the issue "outside our threat model" and did nothing. Google also deemed it critical, fixed it, and issued a CVE tracker for its affected version of Antigravity. AWS, Cursor, and Amazon also classified the issue as high-severity or critical and fixed it.

    Wiz notes that the GhostApproval vulnerability highlights the trust-boundary debate between users, AI agents, and local filesystems. "For one, human-in-the-loop isn't always the safety net it appears to be," Dokhanian said. "When the confirmation prompt hides critical information, developers can't make informed decisions - the approval becomes a rubber stamp."

    The security gap in GhostApproval is a serious threat to enterprises rushing to deploy code-writing agents in their environments. It highlights the need for better security principles and practices when it comes to new AI architectures.

    In response to this vulnerability, Wiz calls on developers and agentic AI providers to share responsibility for patching these issues. "This is a shared responsibility: developers need to think about what code they ask their agents to work with, the same way they'd think about what code they run themselves," an Augment spokesperson said.

    The GhostApproval vulnerability serves as a reminder that even the most advanced AI coding assistants are not immune to security vulnerabilities and highlights the importance of regular security testing and patching.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Bug-in-Top-AI-Coding-Agents-Reveals-Enduring-Security-Headaches-ehn.shtml

  • https://www.theregister.com/security/2026/07/08/bug-in-top-ai-coding-agents-shows-that-unix-era-security-headaches-never-really-die/5268025


  • Published: Wed Jul 8 09:52:45 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us